Splunk® Common Information Model Add-on

Common Information Model Add-on Manual

Download manual as PDF

Download topic as PDF

Release notes for the Splunk Common Information Model Add-on

Version 4.14.0 of the Splunk Common Information Model Add-on was released on 10/18/2019.

New features

Version 4.14.x of the Splunk Common Information Model Add-on includes the following new features.

Enhancement Description
New Event Signatures datamodel This uses a new tag track_event_signatures that can be applied at the sourcetype level:
{{[sourcetype=WinEventLog:Security] 
track_event_signatures = enabled}}

See Event Signatures.

Search results to help prioritize fields to map when normalizing See Make your fields CIM-compliant.
Framework enhancement for adaptive response actions Now supports digest_mode behavior for actions that require per-result-alerting, such as email.
Intrusion Detection data model updates Fields added for file_hash, file_name, and file_path. The allowed and blocked prescribed values are added to the action field. See Intrusion Detection.
CIM Filters update The cim_filter_known_scanners macro is updated to use NOT instead of !=. See Use the CIM Filters macros to exclude data.
Python 2 and Python 3 support included CIM 4.14.x is Python 2 and 3 compliant and is fully compatible with all versions of Splunk Enterprise 7.0 and above, plus future versions of Splunk Enterprise that ship with the Python 3 interpreter. See Upcoming changes to Splunk Enterprise.

Upgrade requirements

Splunk platform version Upgrade activity
7.0.x or later If you apply custom tags to data mapped to CIM data models and you use these tags in searches and search filters, add these tags to the whitelists for those models. See Set up the Splunk Common Information Model Add-on for details about the tags whitelist field.

Compatibility

Version 4.14.x of the Splunk Common Information Model Add-on requires Splunk platform version 7.0.x or later. Some workarounds, such as the datamodels spec workaround for tags_whitelist and poll_buckets, are no longer available in version 7.0.x and later. This might lead to btool check warnings at startup.

Fixed issues

This version of the Splunk Common Information Model Add-on fixes the following issues.

Date resolved Issue number Description
2019-09-17 CIM-869 Adhoc Modular Actions: Splunk users with spaces in their name unable to dispatch adhoc actions
2019-05-06 CIM-813 Fields with leading uppercase do not MV properly

Known issues

This version of the Splunk Common Information Model Add-on has the following reported known issues. If this section is empty, this release has no reported known issues.

Deprecated features

As of version 4.14.0:

  • N/A

As of version 4.13.0:

  • N/A

As of version 4.12.0:

  • The modaction_invocations_rest_handler.py (alerts/modaction_invocations) has been deprecated and will be removed in a future version.
  • The following previously deprecated configurations have been removed.
    • `search_activity` macro
    • `search_typer` macro
  • Deprecated data models: Application State and Change Analysis

As of version 4.11.0:

  • The index definition cim_summary has been removed.
  • Several configurations are deprecated and will be removed in a future release.
    • datamodel_for_audittrail transform
    • savedsearch_name_for_audittrail transform
    • user_for_audittrail transform

Third-party software attributions

The Splunk Common Information Model Add-on does not incorporate any third-party software or libraries.

PREVIOUS
Set up the Splunk Common Information Model Add-on
  NEXT
Support and resource links for the Splunk Common Information Model Add-on

This documentation applies to the following versions of Splunk® Common Information Model Add-on: 4.14.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters